Legal claims defining the scope of protection, as filed with the USPTO.
1. A method performed by a data apparatus, the method comprising: maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types, wherein each subnet has an associated client type and an associated policy; receiving, from a client device that is on the network, a request to access a resource that is hosted on the network; responsive to receiving the request, determining, for the client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted; comparing, for the client device, (i) the determined client type of the client device with (ii) the determined client type associated with the subnet on which the client device is hosted; and responsive to a determination that the client type of the client device does not match the client type associated with the subnet that hosts the client device, performing a corrective action while maintaining the client device on at least one of the plurality of subnets.
2. The method of claim 1, wherein the corrective action comprises blocking access to the resource that is on the network.
3. The method of claim 1, wherein the corrective action comprises one of the group consisting of generating an alert that identifies the client device, redirecting a request from the client device to a webpage, and moving the client device to a different subnet.
4. The method of claim 1, wherein maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types comprises maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types and a plurality of parameters, wherein each client type has an associated parameter; and wherein determining, for a client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted comprises: passively monitoring network traffic of the client devices; examining a parameter of the passively monitored network traffic; and comparing the parameter of the passively monitored network traffic with the associated parameters of the client types of the maintained associations.
5. The method of claim 4, wherein the parameter of the passively monitored network traffic is a User-Agent header.
6. The method of claim 1, wherein determining, for a client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted comprises: redirecting at least some network traffic of the client devices to a server on the network; receiving, at the server on the network, the redirected traffic; and examining a parameter of the redirected traffic.
7. The method of claim 6, wherein the parameter of the redirected traffic is a cookie.
8. The method of claim 6, wherein the server is a transparent proxy configured to transparently route the redirected traffic to the redirected traffic's original destination.
9. The method of claim 1, wherein: the network includes a first subnet and a second subnet; stationary clients are associated with the first subnet; bring-your-own-device clients are associated with the second subnet; and a more restrictive policy is associated with the second subnet and a less restrictive policy is associated with the first subnet.
10. A non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising: maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types, wherein each subnet has an associated client type and an associated policy; receiving, from a client device that is on the network, a request to access a resource that is hosted on the network; responsive to receiving the request, determining, for the client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted; comparing, for the client device, (i) the determined client type of the client device with (ii) the determined client type associated with the subnet on which the client device is hosted; and responsive to a determination that the client type of the client device does not match the client type associated with the subnet that hosts the client device, performing a corrective action while maintaining the client device on at least one of the plurality of subnets.
11. The computer storage media of claim 10, wherein the corrective action comprises blocking access to the resource that is on the network.
12. The computer storage media of claim 10, wherein the corrective action comprises one of the group consisting of generating an alert that identifies the client device, redirecting a request from the client device to a webpage, and moving the client device to a different subnet.
13. The computer storage media of claim 10, wherein maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types comprises maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types and a plurality of parameters, wherein each client type has an associated parameter; and wherein determining, for a client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted comprises: passively monitoring network traffic of the client devices; examining a parameter of the passively monitored network traffic; and comparing the parameter of the passively monitored network traffic with the associated parameters of the client types of the maintained associations.
14. The computer storage media of claim 13, wherein the parameter of the passively monitored network traffic is a User-Agent header.
15. The computer storage media of claim 10, wherein determining, for a client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted comprises: redirecting at least some network traffic of the client devices to a server on the network; receiving, at the server on the network, the redirected traffic; and examining a parameter of the redirected traffic.
16. The computer storage media of claim 15, wherein the parameter of the redirected traffic is a cookie.
17. The computer storage media of claim 15, wherein the server is a transparent proxy configured to transparently route the redirected traffic to the redirected traffic's original destination.
18. The computer storage media of claim 10, wherein: the network includes a first subnet and a second subnet; stationary clients are associated with the first subnet; bring-your-own-device clients are associated with the second subnet; and a more restrictive policy is associated with the second subnet and a less restrictive policy is associated with the first subnet.
19. A system comprising: one or more processors configured to execute computer program instructions; and computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising: maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types, wherein each subnet has an associated client type and an associated policy; receiving, from a client device that is on the network, a request to access a resource that is hosted on the network; responsive to receiving the request, determining, for the client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted; comparing, for the client device, (i) the determined client type of the client device with (ii) the determined client type associated with the subnet on which the client device is hosted; and responsive to a determination that the client type of the client device does not match the client type associated with the subnet that hosts the client device, performing a corrective action while maintaining the client device on at least one of the plurality of subnets.
20. The system of claim 19, wherein the corrective action comprises blocking access to the resource that is on the network.
21. The system of claim 19, wherein the corrective action comprises one of the group consisting of generating an alert that identifies the client device, redirecting a request from the client device to a webpage, and moving the client device to a different subnet.
22. The system of claim 19, wherein maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types comprises maintaining associations among a plurality of subnets of a network, a plurality of policies, and a plurality of client types and a plurality of parameters, wherein each client type has an associated parameter; and wherein determining, for a client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted comprises: passively monitoring network traffic of the client devices; examining a parameter of the passively monitored network traffic; and comparing the parameter of the passively monitored network traffic with the associated parameters of the client types of the maintained associations.
23. The system of claim 22, wherein the parameter of the passively monitored network traffic is a User-Agent header.
24. The system of claim 19, wherein determining, for a client device, (i) a client type of the client device, and (ii) a client type associated with the subnet on which the client device is hosted comprises: redirecting at least some network traffic of the client devices to a server on the network; receiving, at the server on the network, the redirected traffic; and examining a parameter of the redirected traffic.
25. The system of claim 24, wherein the parameter of the redirected traffic is a cookie.
26. The system of claim 24, wherein the server is a transparent proxy configured to transparently route the redirected traffic to the redirected traffic's original destination.
27. The system of claim 19, wherein: the network includes a first subnet and a second subnet; stationary clients are associated with the first subnet; bring-your-own-device clients are associated with the second subnet; and a more restrictive policy is associated with the second subnet and a less restrictive policy is associated with the first subnet.
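The comparison recited in claims 1, 4, 5 and 9, sketched as an added Python example (not code from the patent or its assignee). The subnet ranges, policy names, User-Agent markers and function names are constructed assumptions; blocking is used as the corrective action, as in claim 2.

```python
import ipaddress

# Constructed associations: subnet -> (expected client type, policy).
SUBNETS = {
    ipaddress.ip_network("10.1.0.0/24"): ("stationary", "less-restrictive"),
    ipaddress.ip_network("10.2.0.0/24"): ("byod", "more-restrictive"),
}

# Constructed per-client-type parameters: User-Agent substrings.
# Mobile markers are checked first so a mobile UA is never read as a desktop.
UA_MARKERS = [
    ("byod", ("Android", "iPhone", "iPad")),
    ("stationary", ("Windows NT", "Macintosh", "X11")),
]


def subnet_entry(src_ip):
    """Return (network, (client_type, policy)) for the hosting subnet."""
    addr = ipaddress.ip_address(src_ip)
    for net, entry in SUBNETS.items():
        if addr in net:
            return net, entry
    return None, (None, None)


def client_type_from_ua(user_agent):
    """Classify a client from the User-Agent seen in monitored traffic."""
    for ctype, markers in UA_MARKERS:
        if any(marker in user_agent for marker in markers):
            return ctype
    return "unknown"


def evaluate(src_ip, user_agent):
    """Compare observed client type with the subnet's type; pick an action."""
    net, (expected, policy) = subnet_entry(src_ip)
    observed = client_type_from_ua(user_agent or "")
    result = {"subnet": str(net) if net else None, "expected": expected,
              "observed": observed, "policy": policy}
    if net is None:
        result["action"] = "alert"   # source is outside every managed subnet
    elif observed != expected:
        # Mismatch (an unclassifiable UA included): corrective action while
        # the client stays on its subnet; here, block the requested resource.
        result["action"] = "block"
    else:
        result["action"] = "allow"   # subnet's own policy applies
    return result
```

The User-Agent header is supplied by the client, so a match is a weak signal on its own; the redirected-traffic cookie of claims 6 and 7 is a separate parameter not modelled here.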
October 4, 2016